[Samba] Newly joined DC - Failed to bind to uuid for ncacn_ip_tcp .. NT_STATUS_INVALID_PARAMETER

Jonathan Hunter jmhunter1 at gmail.com
Tue Jan 28 17:52:28 UTC 2020 

Hi,

I managed to find some time to rebuild one of my DCs that had failed
due to hardware issues some time back (and was removed from the domain
at the time). Thanks to Rowland for helping out with samba-tool for
this.

However, despite following my normal build guide that I have used for
all my other DCs, this one straight away shows some replication errors
in the logs of some other DCs in the domain - and I'm not sure why.

I have probably missed something obvious / basic but I have been
staring at this for a while now and figured I would post here in case
someone can point me in the right direction! Hopefully-useful
information is below.

I first of all tried using samba 4.11.4 as that was the latest at the
time, but when that didn't work I tried 4.10.13 (since my other DCs
are all 4.10.x and I thought that this might fix the problem) - that
hasn't helped and the errors still appear.

The error I am getting in the logs on other DCs is below (this example
is from the log file on existing dc2, trying to replicate to newdc)
Jan 28 14:19:37 dc2 samba[3153]: [2020/01/28 14:19:37.115584,  0]
../../source4/librpc/rpc/dcerpc_util.c:737(dcerpc_pipe_auth_recv)
Jan 28 14:19:37 dc2 samba[3153]:   Failed to bind to uuid
11111111-2222-3333-4444-5555555555 for
ncacn_ip_tcp:192.168.1.6[49153,seal,krb5,target_hostname=66666666-7777-8888-9999-0000000000._msdcs.mydomain.org.uk,target_principal=GC/newdc.mydomain.org.uk/mydomain.org.uk,abstract_syntax=11111111-2222-3333-4444-5555555555/0x00000004,localaddress=192.168.1.3]
NT_STATUS_INVALID_PARAMETER


Previous google searches uncovered some mentions of TLS issues but I
do have a current cert in /usr/local/samba/private/tls that matches
the certs on my other DCs (I use an internal CA) - i.e.
newdc.mydomain.org.uk. I think the issue must lie elsewhere but I'm
not a kerberos expert and am not sure how to debug this,
unfortunately.

I did find a post from a poor chap called Jonathan Hunter :) who had a
similar issue in 2016:
https://lists.samba.org/archive/samba/2016-September/202777.html
However this wasn't the issue this time - I checked that the
"127.0.1.1" line was not present in /etc/hosts, but I'm still getting
these 'failed to bind to uuid' errors :(

I've checked the clocks and they are successfully synchronised via NTP.

As suggested in another thread, I have checked with KCC but as
expected it fails:
dc2$ sudo samba-tool drs kcc newdc.mydomain.org.uk
Failed to bind to uuid 11111111-2222-3333-4444-5555555555 for
ncacn_ip_tcp:192.168.1.6[49153,seal,target_hostname=newdc.mydomain.org.uk,abstract_syntax=11111111-2222-3333-4444-5555555555/0x00000004,localaddress=192.168.1.3]
NT_STATUS_UNSUCCESSFUL
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
newdc.mydomain.org.uk failed - drsException: DRS connection to
newdc.mydomain.org.uk failed: (3221225473, '{Operation Failed} The
requested operation was unsuccessful.')
  File "/usr/local/samba/lib/python3.4/site-packages/samba/netcmd/drs.py",
line 54, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/local/samba/lib/python3.4/site-packages/samba/drs_utils.py",
line 63, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))


Installation steps I followed (ostensibly the same as my other DCs,
but perhaps I missed something):
  - set static IP of machine
  - add local LAN IP to /etc/hosts
  - install pre-requisite .deb packages
  - set up NTP
  - compile & install samba
  - join domain
  - copy krb5.conf to /etc
  - place signed key & cert in /usr/local/samba/private/tls/
  - run samba_dnsupdate
  - start samba


My smb.conf is the same as on my other DCs and is as follows

# Global parameters
[global]
        netbios name = NEWDC
        realm = NEWDC.MYDOMAIN.ORG.UK
        server role = active directory domain controller
        workgroup = MYDOMAIN
        dns forwarder = 192.168.2.10 192.168.3.11
        idmap_ldb:use rfc2307 = yes
        # Need NTLM Auth for radius
        ntlm auth = yes


[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/mydomain.org.uk/scripts
        read only = No

[dfs]   # this doesn't actually work but hey, I was trying some time back..
        path = /usr/local/samba/dfsroot
        msdfs root = yes




Checking from dc2, DNS seems to be correct:

dc2$ host newdc.mydomain.org.uk 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

newdc.mydomain.org.uk has address 192.168.1.6

and

dc2$ host 66666666-7777-8888-9999-0000000000._msdcs.mydomain.org.uk 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

66666666-7777-8888-9999-0000000000._msdcs.mydomain.org.uk is an alias
for newdc.mydomain.org.uk.
newdc.mydomain.org.uk has address 192.168.1.6


newdc does have port 445 open:
dc2$ nc -v 192.168.1.6 445
Connection to 192.168.1.6 445 port [tcp/microsoft-ds] succeeded!
^C

and seems to be listening on the correct other ports, also
newdc$ netstat -an -A inet | grep LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8125          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:19999           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:49153           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:49154           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN

I'm not sure what to check next. Other than enabling level 10 logging
globally, is there something more I could check on the new DC?


The domain join seemed to go fine - stdout output is below (I have
stderr too, if needed)
Adding CN=NEWDC,OU=Domain Controllers,DC=mydomain,DC=org,DC=uk
Adding CN=NEWDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain,DC=org,DC=uk
Adding CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=Mysite,CN=Sites,CN=Configuration,mydomain,DC=org,DC=uk
Adding SPNs to CN=NEWDC,OU=Domain Controllers,DC=mydomain,DC=org,DC=uk
Setting account password for NEWDC$
Enabling account
Calling bare provision
Provision OK for domain DN DC=mydomain,DC=org,DC=uk
Starting replication
Missing target object - retrying with DRS_GET_TGT
Replicating critical objects from the base DN of the domain
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=mydomain,DC=org,DC=uk
Replicating DC=ForestDnsZones,DC=mydomain,DC=org,DC=uk
Committing SAM database


I don't know much about SPNs - is there anything I can check there, perhaps?

Many thanks :)

Jonathan

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein

More information about the samba mailing list